Behavioral anomaly detection systems are known, but typically such a system must be given an opportunity to observe a system's behavior during a training period, in which the observed system is assumed to be secure. Later, in a detection period, behavior that deviates from the learned (and assumed normal) behavior may be flagged as anomalous and subjected to further examination. Such systems may also flag as anomalous behavior that presents no security concern, such as authorized changes in software (e.g., updates and upgrades) or changes in user behavior that are authorized and/or expected (e.g., due to a change in role). Any deviation from the "normal" behavior learned from the training data may be flagged, whether or not it reflects a compromise.
Techniques have been disclosed to compare, e.g., simultaneously and in real time, two or more implementations of a same system or component. For example, two servers that should operate in the same way may be sent a same request. If the responses do not match, responsive action may be taken. Such comparison requires each request to be processed redundantly by every implementation being compared.
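The two prior approaches described above, as an added illustration that is not part of the original disclosure: a naive baseline detector that learns (user, program) pairs during a training period and flags every pair it has not seen, and a redundant-execution comparator that sends one request to two implementations and reports a mismatch. All event data, the two "implementations" and the function names are constructed for this example.

```python
"""Added example (not from the original disclosure) of the two prior
approaches the background describes.

1. BaselineDetector: learns which (user, program) pairs occur during an
   assumed-secure training period and flags any pair absent from that
   baseline.  It is deliberately naive, to show the stated failure mode:
   an authorized upgrade and an authorized role change are flagged just
   like a genuinely suspicious event.
2. redundant_check: sends the same request to two implementations and
   flags a mismatch, at the cost of processing every request twice.
"""
from collections import Counter
from typing import Callable, Dict, List, Tuple

Event = Tuple[str, str]  # (user, program path)


class BaselineDetector:
    """Learned-baseline anomaly detector over (user, program) pairs."""

    def __init__(self) -> None:
        self.baseline: Counter = Counter()
        self.trained = False

    def train(self, events: List[Event]) -> None:
        # Training period: everything observed is assumed benign.
        for event in events:
            self.baseline[event] += 1
        self.trained = True

    def detect(self, events: List[Event]) -> List[Event]:
        # Detection period: anything outside the learned set is "anomalous".
        if not self.trained:
            raise RuntimeError("detector must be trained before detection")
        return [e for e in events if e not in self.baseline]


# Constructed training data: an assumed-secure observation period.
TRAINING: List[Event] = [
    ("alice", "/usr/bin/python3.10"),
    ("alice", "/usr/bin/vim"),
    ("bob", "/usr/bin/psql"),
] * 5

# Constructed detection-period data.  The first two are authorized changes
# (an interpreter upgrade; alice taking on a DBA role); the third is the
# kind of event a defender would actually want to see.
DETECTION: List[Event] = [
    ("alice", "/usr/bin/python3.11"),  # authorized software upgrade
    ("alice", "/usr/bin/psql"),        # authorized role change
    ("bob", "/usr/bin/nc"),            # suspicious: netcat from a DBA account
]


def baseline_alerts() -> List[Event]:
    """Every departure from the baseline is flagged, benign or not."""
    detector = BaselineDetector()
    detector.train(TRAINING)
    return detector.detect(DETECTION)


# Two hypothetical implementations of the same path-normalization
# component that have drifted: the second no longer strips a trailing slash.
def normalize_path_v1(path: str) -> str:
    return path.replace("\\", "/").rstrip("/")


def normalize_path_v2(path: str) -> str:
    return path.replace("\\", "/")


def redundant_check(request: str,
                    impl_a: Callable[[str], str] = normalize_path_v1,
                    impl_b: Callable[[str], str] = normalize_path_v2) -> Dict[str, object]:
    """Send one request to both implementations and compare the responses.

    A mismatch is the signal for responsive action; the price is that every
    request is processed twice.
    """
    response_a = impl_a(request)
    response_b = impl_b(request)
    return {"request": request, "a": response_a, "b": response_b,
            "match": response_a == response_b}


if __name__ == "__main__":
    for event in baseline_alerts():
        print("baseline anomaly:", event)
    for req in ("/var/log", "/var/log/", "C:\\Temp\\"):
        print("redundant check:", redundant_check(req))
```

Running the block shows all three detection-period events flagged by the baseline detector, with nothing to distinguish the upgrade and role change from the netcat invocation, and shows the comparator only disagreeing on inputs where the two implementations actually diverge (`/var/log/` and `C:\Temp\`), while agreeing on `/var/log`.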
It would be useful to be able to detect anomalous behavior without requiring redundant processing of the same request by multiple implementations, and without necessarily flagging as anomalous every departure from the behavior a particular system was observed to exhibit during a prior learning period.